The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX
RFC 4945

 
Document
Type RFC - Proposed Standard (August 2007; No errata)
Last updated 2013-03-02
Stream IETF
Formats plain text pdf html
Stream
WG state (None)
Consensus Unknown
Document shepherd No shepherd assigned
IESG
IESG state RFC 4945 (Proposed Standard)
Telechat date
Responsible AD Russ Housley
Send notices to pki4ipsec-chairs@ietf.org

Email authors IPR References Referenced by Nits Search lists

Network Working Group                                          B. Korver
Request for Comments: 4945                       Network Resonance, Inc.
Category: Standards Track                                    August 2007

 The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   The Internet Key Exchange (IKE) and Public Key Infrastructure for
   X.509 (PKIX) certificate profile both provide frameworks that must be
   profiled for use in a given application.  This document provides a
   profile of IKE and PKIX that defines the requirements for using PKI
   technology in the context of IKE/IPsec.  The document complements
   protocol specifications such as IKEv1 and IKEv2, which assume the
   existence of public key certificates and related keying materials,
   but which do not address PKI issues explicitly.  This document
   addresses those issues.  The intended audience is implementers of PKI
   for IPsec.

Korver                      Standards Track                     [Page 1]
RFC 4945            PKI Profile for IKE/ISAKMP/PKIX          August 2007

Table of Contents

   1. Introduction ....................................................4
   2. Terms and Definitions ...........................................4
   3. Use of Certificates in RFC 2401 and IKEv1/ISAKMP ................5
      3.1. Identification Payload .....................................5
           3.1.1. ID_IPV4_ADDR and ID_IPV6_ADDR .......................7
           3.1.2. ID_FQDN .............................................9
           3.1.3. ID_USER_FQDN .......................................10
           3.1.4. ID_IPV4_ADDR_SUBNET, ID_IPV6_ADDR_SUBNET,
                  ID_IPV4_ADDR_RANGE, ID_IPV6_ADDR_RANGE .............11
           3.1.5. ID_DER_ASN1_DN .....................................11
           3.1.6. ID_DER_ASN1_GN .....................................12
           3.1.7. ID_KEY_ID ..........................................12
           3.1.8. Selecting an Identity from a Certificate ...........12
           3.1.9. Subject for DN Only ................................12
           3.1.10. Binding Identity to Policy ........................13
      3.2. Certificate Request Payload ...............................13
           3.2.1. Certificate Type ...................................14
           3.2.2. X.509 Certificate - Signature ......................14
           3.2.3. Revocation Lists (CRL and ARL) .....................14
           3.2.4. PKCS #7 wrapped X.509 certificate ..................15
           3.2.5. Location of Certificate Request Payloads ...........15
           3.2.6. Presence or Absence of Certificate Request
                  Payloads ...........................................15
           3.2.7. Certificate Requests ...............................15
           3.2.8. Robustness .........................................18
           3.2.9. Optimizations ......................................18
      3.3. Certificate Payload .......................................19
           3.3.1. Certificate Type ...................................20
           3.3.2. X.509 Certificate - Signature ......................20
           3.3.3. Revocation Lists (CRL and ARL) .....................20
           3.3.4. PKCS #7 Wrapped X.509 Certificate ..................20
           3.3.5. Location of Certificate Payloads ...................21
           3.3.6. Certificate Payloads Not Mandatory .................21
           3.3.7. Response to Multiple Certification
                  Authority Proposals ................................21
           3.3.8. Using Local Keying Materials .......................21
           3.3.9. Multiple End-Entity Certificates ...................22
           3.3.10. Robustness ........................................22
           3.3.11. Optimizations .....................................23
   4. Use of Certificates in RFC 4301 and IKEv2 ......................24
      4.1. Identification Payload ....................................24
      4.2. Certificate Request Payload ...............................24
           4.2.1. Revocation Lists (CRL and ARL) .....................24
      4.3. Certificate Payload .......................................25
           4.3.1. IKEv2's Hash and URL of X.509 Certificate ..........25
           4.3.2. Location of Certificate Payloads ...................25
Show full document text